Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Unsecured Credentials

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Bash History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).(Citation: Brining MimiKatz to Unix)

ID: T1552
Sub-techniques:  .001 .002 .003 .004 .005 .006 .007 .008
Tactic(s): Credential Access
Platforms: Containers, IaaS, Identity Provider, Linux, macOS, Network, Office Suite, SaaS, Windows
Data Sources: Application Log: Application Log Content, Command: Command Execution, File: File Access, Process: Process Creation, User Account: User Account Authentication, Windows Registry: Windows Registry Key Access
Version: 1.4
Created: 04 Feb 2020
Last Modified: 14 Oct 2024

Procedure Examples

Name Description
DarkGate

DarkGate uses NirSoft tools to steal user credentials from the infected machine.(Citation: Ensilo Darkgate 2018) NirSoft tools are executed via process hollowing in a newly-created instance of vbc.exe or regasm.exe.

Pacu

Pacu can search for sensitive data: for example, in Code Build environment variables, EC2 user data, and Cloud Formation templates.(Citation: GitHub Pacu)

Astaroth

Astaroth uses an external software known as NetPass to recover passwords. (Citation: Cybereason Astaroth Feb 2019)

Volt Typhoon

Volt Typhoon has obtained credentials insecurely stored on targeted network appliances.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)

NPPSPY

NPPSPY captures credentials by recording them through an alternative network listener registered to the mpnotify.exe process, allowing for cleartext recording of logon information.(Citation: Huntress NPPSPY 2022)

Mitigations

Mitigation Description
Encrypt Sensitive Information

Protect sensitive information with strong encryption.

Update Software

Perform regular software updates to mitigate exploitation risk.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Active Directory Configuration

Implement robust Active Directory configurations using group policies to control access and reduce the attack surface. Specific examples include: * Account Configuration: Use provisioned domain accounts rather than local accounts to leverage centralized control and auditing capabilities. * Interactive Logon Restrictions: Enforce group policies that prohibit interactive logons for accounts that should not directly access systems. * Remote Desktop Settings: Limit Remote Desktop logons to authorized accounts to prevent misuse by adversaries. * Dedicated Administrative Accounts: Create specialized domain-wide accounts that are restricted from interactive logons but can perform specific tasks like installations or repository access. * Authentication Silos: Configure Authentication Silos in Active Directory to create access zones with restrictions based on membership in the Protected Users global security group. This setup enhances security by applying additional protections to high-risk accounts, limiting their exposure to potential attacks.

Password Policies

Set and enforce secure password policies for accounts.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

Filter Network Traffic

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Limit Access to Resource Over Network

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Detection

While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See Valid Accounts for more information. Monitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior. Monitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like cat ~/.bash_history. Additionally, monitor processes for applications that can be used to query the Registry, such as Reg, and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.